Krebs on Security

In-depth security news and investigation

Crooks Seek Revival of ‘Gameover Zeus’ Botnet

Cybercrooks today began taking steps to resurrect the Gameover ZeuS botnet, a complex crime machine that has been blamed for the theft of more than $100 million from banks, businesses and consumers worldwide. The revival attempt comes roughly five weeks after the FBI joined several nations, researchers and security firms in a global and thus far successful effort to eradicate it.

The researchers who helped dismantle Gameover Zeus said they were surprised that the botmasters didn’t fight back. Indeed, for the past month the crooks responsible seem to have kept a low profile.

But that changed earlier this morning when researchers at Malcovery [full disclosure: Malcovery is an advertiser on this blog] began noticing spam being blasted out with phishing lures that included zip files booby-trapped with malware.

Looking closer, the company found that the malware shares roughly 90 percent of its code base with Gameover Zeus. Part of what made the original Gameover ZeuS so difficult to shut down was its reliance on an advanced peer-to-peer (P2P) mechanism to control and update the bot-infected systems.

But according to Gary Warner, Malcovery’s co-founder and chief technologist, this new Gameover variant is stripped of the P2P code, and relies instead on an approach known as fast-flux hosting. Fast-flux is a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind an ever-changing network of compromised systems acting as proxies, in a bid to make the botnet more resilient to takedowns.
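To make the fast-flux signature concrete, here is an added example (not code from the article or from Malcovery) that scores repeated DNS answers for one hostname the way a resolver monitor might. The observations, addresses and TTLs are constructed, and the /16 prefix count is an assumed stand-in for a per-address ASN lookup:

```python
import ipaddress

# Constructed observations (not a real capture): repeated A-record lookups of
# one hostname. Each tuple is (seconds since the first query, answer TTL,
# list of A records). The 10.x.x.x placeholders stand in for compromised hosts.
FLUX_OBSERVATIONS = [
    (0,   180, ["10.11.4.7", "10.23.9.1", "10.45.1.9", "10.67.3.3", "10.89.8.8"]),
    (180, 180, ["10.23.9.1", "10.45.1.9", "10.101.5.5", "10.120.2.2", "10.140.7.7"]),
    (360, 180, ["10.101.5.5", "10.120.2.2", "10.160.1.1", "10.180.3.3", "10.11.4.7"]),
    (540, 180, ["10.160.1.1", "10.180.3.3", "10.200.9.9", "10.210.4.4", "10.67.3.3"]),
    (720, 180, ["10.200.9.9", "10.210.4.4", "10.220.6.6", "10.230.8.8", "10.89.8.8"]),
    (900, 180, ["10.220.6.6", "10.230.8.8", "10.240.1.1", "10.250.2.2", "10.140.7.7"]),
]
# A conventionally hosted name for comparison: long TTL, same two addresses every time.
STABLE_OBSERVATIONS = [(t * 3600, 3600, ["10.5.5.5", "10.5.5.6"]) for t in range(6)]


def flux_features(observations):
    """Summarise the answers: address count, network spread, lowest TTL, churn."""
    ips, prefixes, ttls = set(), set(), []
    churned = 0
    previous = None
    for _, ttl, answers in observations:
        ttls.append(ttl)
        current = set(answers)
        for a in current:
            ip = ipaddress.ip_address(a)
            ips.add(ip)
            # /16 is a crude stand-in for "a different network"; with real data
            # you would map each address to its ASN instead (assumption).
            prefixes.add(ipaddress.ip_network(f"{ip}/16", strict=False))
        if previous is not None and current - previous:
            churned += 1  # this answer introduced addresses absent from the last one
        previous = current
    return {
        "unique_ips": len(ips),
        "unique_prefixes": len(prefixes),
        "min_ttl": min(ttls),
        "churn": churned / max(len(observations) - 1, 1),
    }


def looks_fast_flux(observations, ttl_max=300, min_ips=10, min_prefixes=5, min_churn=0.5):
    """Heuristic verdict. Thresholds are assumptions; CDNs also use short TTLs
    and many addresses, so prefix/ASN spread and churn matter more than TTL alone."""
    f = flux_features(observations)
    return (f["min_ttl"] <= ttl_max and f["unique_ips"] >= min_ips
            and f["unique_prefixes"] >= min_prefixes and f["churn"] >= min_churn)


if __name__ == "__main__":
    print("flux:", flux_features(FLUX_OBSERVATIONS), looks_fast_flux(FLUX_OBSERVATIONS))
    print("stable:", flux_features(STABLE_OBSERVATIONS), looks_fast_flux(STABLE_OBSERVATIONS))
```

With real resolver data the same features come from the A records and TTL of each response. The network spread is what separates a flux network of compromised home machines from a CDN, which also rotates many addresses on short TTLs, so treat the verdict as a lead to investigate rather than a block decision.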

Like the original Gameover, this variant also includes a “domain name generation algorithm,” or DGA, a failsafe that is invoked if the botnet’s normal communications channel fails. Each week the DGA produces a fresh list of domain names (gibberish domains that are essentially long jumbles of letters).

In the event that infected systems can’t reach the fast-flux servers for new updates, the code instructs them to work through that week’s DGA list looking for a domain that resolves. To regain control of the crime machine, the botmasters need only register one of those domains and place the update instructions there. The same property cuts the other way: because the algorithm and its inputs ship inside the malware, anyone who reverses a sample can compute the same weekly list in advance and register or sinkhole those names first, which is why a DGA fallback turns a takedown into a race over domain registrations.
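The mechanics of that race, as an added example that is not code from the article, from Malcovery, or from the Gameover malware itself. The algorithm below is a simple date-seeded DGA written for illustration; the seed, hash, TLD list and list size are assumptions, and a dictionary stands in for DNS so it runs offline:

```python
import hashlib
from datetime import date, timedelta

# Illustrative DGA only. It is NOT the Gameover ZeuS algorithm; the seed,
# hash choice, TLD list and weekly list size are assumptions for the example.
SEED = b"example-seed-not-real"              # assumption: constant embedded in the sample
TLDS = ("com", "net", "org", "biz", "info")  # assumption
DOMAINS_PER_WEEK = 1000                      # assumption


def week_key(day):
    """Monday of the ISO week containing `day`; every bot derives the same key."""
    return (day - timedelta(days=day.weekday())).isoformat().encode()


def generate_domains(day, count=DOMAINS_PER_WEEK, seed=SEED):
    """Return this week's ordered list of candidate rendezvous domains."""
    key = week_key(day)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + key + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:16])
        domains.append(f"{label}.{TLDS[digest[16] % len(TLDS)]}")
    return domains


def bot_find_rendezvous(day, resolver, max_tries=DOMAINS_PER_WEEK):
    """Bot side: walk the list in order and return the first name that resolves.

    `resolver` is a callable domain -> IP or None, standing in for real DNS.
    """
    for domain in generate_domains(day, max_tries):
        ip = resolver(domain)
        if ip is not None:
            return domain, ip
    return None


def defender_preregistration_list(today, weeks_ahead=2, count=DOMAINS_PER_WEEK):
    """Defender side: with the algorithm and seed recovered from a sample,
    compute the lists for upcoming weeks so the names can be registered or
    sinkholed before the operators need them."""
    return {
        week_key(today + timedelta(weeks=w)).decode():
            generate_domains(today + timedelta(weeks=w), count)
        for w in range(weeks_ahead + 1)
    }


if __name__ == "__main__":
    today = date(2014, 7, 10)
    week = generate_domains(today)
    # The operators only need one of this week's names live to regain control.
    operator_dns = {week[42]: "203.0.113.9"}  # constructed IP (TEST-NET-3)
    print("operator only:", bot_find_rendezvous(today, operator_dns.get))
    # A sinkhole holding earlier names in the same list wins the race instead.
    sinkhole_dns = {d: "198.51.100.1" for d in week[:100]}  # constructed IP (TEST-NET-2)
    combined = {**operator_dns, **sinkhole_dns}
    print("with sinkhole:", bot_find_rendezvous(today, combined.get))
    print("next weeks to reserve:", list(defender_preregistration_list(today)))
```

Because the bot walks the list in a fixed order, whoever holds the earliest resolvable name controls it; that is why defenders who recover the algorithm reserve the whole list, not just one name, and why the operators in the article must hope their registration lands on a name nobody has claimed.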

Warner said the original Gameover botnet that was clobbered last month is still locked down, and that it appears whoever released this variant is essentially attempting to rebuild the botnet from scratch. “This discovery indicates that the criminals responsible for Gameover’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers and takedowns in history,” Warner said.

Gameover is based on code from the ZeuS Trojan, an infamous family of malware that has been used in countless online banking heists. Unlike ZeuS — which was sold as a botnet creation kit to anyone who had a few thousand dollars in virtual currency to spend — Gameover ZeuS has since October 2011 been controlled and maintained by a core group of hackers from Russia and Ukraine. Those individuals are believed to have used the botnet in high-dollar corporate account takeovers that frequently were punctuated by massive distributed-denial-of-service (DDoS) attacks intended to distract victims from immediately noticing the thefts.

According to the U.S. Justice Department, Gameover has been implicated in the theft of more than $100 million in account takeovers, and the author of the ZeuS Trojan (and by extension the Gameover Zeus malware) is allegedly a Russian citizen named Evgeniy Mikhailovich Bogachev.

For more details, check out Malcovery’s blog post about this development.

This entry was posted on Thursday, July 10th, 2014 at 7:31 pm and is filed under A Little Sunshine, The Coming Storm.

49 comments

A better explanation of what Fast Flux does is the dynamic and multiple use of A names (IP numbers with PTR) that constantly change over time because of very short T.T.L. (Time to live) domain name settings. The only way to take the domain names down is either by way of the name server and/or the domain registry.

It’s pretty easy to understand fast-flux. You see them in bank phishing scams with the newly registered domain name having around ten IP (internet protocol) numbers that continuously or dynamically cycle the different hosting locations one right after the other.

Just think of it as a domain that changes hosting location based on a predetermined time increment, over and over again. If one host fails then the next one is cycled through to reach the site location or, in the article’s case, the C&C server.

The DGA creates the new fast flux domain name and just cycles until it finds a C&C internet protocol number that it can get new information (in the above case using P2P) from so that it can download the malware onto the host computer.

@vbiqvitovs: I don’t think so. The malware is set up to go through a different list of gibberish names every week. The “bad guys” can determine which gibberish names are on the current list. When necessary, (because their other sites have been taken over) they can register any one of them and get back control.

First, these machines are running software as administrator (root/god/system), so they could update the time if necessary. Most systems have support for NTP (network time protocol, a way of syncing the local computer clock to other computers). Even if you did have your computer running w/ a desynced clock, when this evil software takes over your computer, it could fix your clock.

Second, if most computers happened to be off by some fixed shift, the owners of the botnet could register based on that other date.

Third, computers rely on well-run clocks in order to decide whether to trust web sites. HTTPS is built on top of certificates which include a “Not-Before” and a “Not-After” field. That certificate is in turn signed by another certificate which also includes a “Not-Before” and a “Not-After”, and so on until a root certificate (or Trust Anchor) is reached. All certificates leading to the trust anchor must have a Not-After which is after the current time and a Not-Before which is before it. Your browser will reject any server trying to present a certificate which violates these constraints (it will often report that the certificate has expired).

Part of the reason behind this design is to avoid maintaining statements listing every previous certificate as invalid. Another part is that there’s an understanding in cryptology that while I might be able to keep a secret for a few years, eventually with brute force you’ll be able to guess my secret. By ensuring that certificates have fairly short lifespans, we’re protected from attacks which take advantage of long periods of time being available.

That’s certainly why I am here. I know nothing about this stuff but pick up something from each article. Epson tech support contractor Ratchet Systems spent over 4 hours logged into my system today trying (successfully) to save it after I installed a new Epson WF-3250 yesterday and everything shortly went to hell. It wasn’t just driver error because all my restore point files were gone. I still don’t know if malware got in during or shortly after the install or if the Epson software caused it. I know that part of it was Epson wi-fi software because I lost internet access immediately upon installation. The more these experts share the better off we all are.

It’s likely that the malware was already in the computer, and the installation of the Epson caused a conflict between the OS and the malware. These guys wouldn’t be as widespread as they are if people knew they were infected. Their goal is to tip toe around the system without you noticing any changes. I’ve had several clients who have been infected for years, and it usually isn’t apparent until there is a change to the system (in your case the Epson).

Thank you for presenting your information in a way that allows readers to understand what you want them to understand. There is always someone who thinks they are smarter and could do it better but fails to realize that when writing for the public it needs to in terms that all people with an interest in your subject can understand. The phrase “seeing beyond one’s own nose” comes to mind.

Botnet takedowns, unless they involve putting the botmasters in jail, are not very effective. GOZ was associated with the Cutwail spambot, so I took a look at spam levels after the takedown to see if there was any impact. For two weeks after the takeover, the seven-day average spam volume detected by the Cloudmark Global Threat Network reversed the increasing trend that we had seen in spam volumes through the previous couple of months. However, it then started to increase again, and by the end of June was back to the levels we were seeing in late May.

For botmasters, newly infected machines are more valuable than machines that have been on the network for a while. There are new bank account credentials to capture, an IP address to send spam from that is not yet blacklisted, and the one time bonus of ransomware installation. So, the value associated with a botnet depends on the rate of new infections and not the size. Taking down a botnet like GOZ did stop new infections for five whole weeks, but now that the botmasters have found a new way to spread the infection (probably renting time on some other botnet to send spam) they are back in business, and their earnings will soon be back up to previous levels.

Compare this with the recent Lecpetex takedown spearheaded by Facebook. In that case they identified the criminals and worked with law enforcement in Greece to make sure they were arrested. Lecpetex was nowhere near as big as GOZ, but now it is gone for good. Admittedly, it is hard to persuade law enforcement in Russia and the Ukraine to take action against cybercriminals who do not threaten their own citizens, but this is the only effective way to perform botnet takedowns.

You’re right. I think all botnet takedowns need to take place in conjunction with arrests, else it’ll always only be temporary.

I suppose it’s questionable if arrests are even necessarily that effective. But taking down a botnet and arresting the owner at the same time would probably make it very hard for someone else to take the reins, as long as the operator doesn’t get bail and the takedown prevents anyone else from setting up new C2 infrastructure that the bots can find.

I was thinking, can’t some smart person write a, ill call it white malware, that will fix all the boxes that are compromised?

Also I think the US should send black ops to just assassinate these guys in Russia. Hiding behind the Russian wall (and China, Ukraine, and Others) hacking at will, while the government probably encourages it.

Even if we catch them they might get what, 4 years for the 100 million they stole. Why not give them a year for every million. That may put them where they need to be, someone’s jail bitch for 100 years.

“Also I think the US should send black ops to just assassinate these guys in Russia. Hiding behind the Russian wall (and China, Ukraine, and Others) hacking at will, while the government probably encourages it.”

What if “Russia, China, Ukraine, and ‘Others'”, decide to send some “Black Ops” of their own, to “assassinate” people in America, that (for reasons good, bad or indifferent), the leaders or police agencies of those countries, have fingered for “elimination”? You obviously have been watching too many Hollywood movies; unfortunately, the real world isn’t a Western, and the guys with the white hats don’t always have bigger guns than the ones with the black hats.

The unilateralist arrogance of Americans like you, in making nonsense threats like the one depicted above, never ceases to amaze me. Contrary to what you (evidently) believe, the United States is NOT an “exceptional” country and it has no special privileges to break laws or act in a manner that would be condemned, if undertaken by other countries.

If we are to deal with cyber-crime, we will need to take the difficult, lengthy process of engaging with — and, critically, COMPROMISING with — the political leadership of the nations that harbor the cyber-criminal gangs.

The world doesn’t dance to America’s unilateral tune. Get used to it, because it’s reality. Put away your fetish for violence as a quick and easy fix for all problems and learn to talk to people… even those with whom you disagree. Send teams of assassins into places like Russia, and you may find a few guns pointing right back at… YOU.

And what non-exceptional country do you hail from? I’d be willing to bet somewhere in Europe based on your hate and jealousy. The US has been forced for years to play world policeman because cowards like you don’t have the backbone to do any heavy lifting, so maybe you should stick to the topic and STFU

So we should roll over and let Russia invade Ukraine and all its neighboring countries, so the US can reclaim a couple cybercriminals who didn’t ante up for the latest round of bribes to Russian officials?

Nobody should cooperate with criminals. The world tried that with Germany in the 1930s and look where that got us.

Does anyone seriously think theft of money is deserving of the death penalty? And in this case, it’s a bit closer to theft of money from banks (due to insurance and reimbursement), not necessarily from individuals.

So, the problem is that while one could /try/ to write software to clean up a given system, that software would be just as unlawful as the software that installed itself into the system in the first place. You’re subject to the same laws against unauthorized access.

Now, consider that Microsoft releases regular software updates, which are usually designed to just fix their own bugs. Regularly there are announcements of many boxes which are bricked because of these updates, and people scream at Microsoft about them. At least one, and I think a couple of these bricked cases was because of a perfectly reasonable update from Microsoft which happened to be incompatible w/ malware which was affecting systems. Had Microsoft known about the malware, they could have made their software compatible w/ it… (actually, what Microsoft does there is require you to accept a license agreement which lets them run a malware cleanup, so that cleanup stage would have fixed the malware first before the update)

Note: Microsoft gets explicit permission before going after malware on computers you own, because otherwise it could get sued.

Heck, when Microsoft took over No-IP recently, they ended up w/ a lawsuit.

Anyway, the above examples are where Microsoft, a rather large player w/ lots of software experience, hasn’t had a perfect track record of dealing w/ systems. Most other people will do an even worse job, and will probably lose in court cases, because they’ll accidentally break something — potentially in a hospital or bank.

The only time you have any entity actively doing stuff is when they have laws which authorize it.

Ah, but one thing using Microsoft as the example: read the EULA and you don’t own the software. They can make updates, patches, fixes and your running the OS means you agree.

Litigation may find something but in the end, the flaw is Windows and the uninformed users using it.

The facial expressions of the house wife or husband that owns an infected PC when you explain to them that “allowing your AV to expires, clicking on links you have no idea who is at the other end, allowing no password, etc, is why your machine is infected”.

They can hide the address of the servers and rotate them around frequently, but they almost always use a set number of ports to listen on. When a scan shows these ports open or a traffic sample tapped near an ISP egress shows port traffic to a particular device is higher than previous base lines you can bet you have found the C&C or at least a proxy node.

That said we normal engineers have to wear our white hats and hope those with the access and rights to examine these patterns will also help to find the bad guys.

No money in it for an ISP to protect customers, plus it is probably not entirely legal to run the kind of scans needed to find and root out any one botnet.

The Russian have had a Naval Base in the Black Sea for about 200 years.
To send in US Naval personnel to remove a person from a boat in the Black Sea would need a U.S. Naval ship to provide a platform. There are many nations which have coastlines on the Black Sea which would not approve of any such naval action by the U.S. in their waters. The solution put forward results from views put forward by News Media worldwide and merely shows that they have no training in History or Geography in schools of Journalism. But we have the internet and should use it to check facts and assumptions and not rely on sound bites.

No, not really. Fast-fluxing is actually not a bad heuristic for flagging malware. E.g., if an application contacts nine dead domains and then a live one it should be quarantined. Hell, if the domain is less than a few months old… quarantine it.
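The first heuristic in the comment above (a run of dead lookups followed by a live one) is easy to turn into resolver-log detection. The following is an added example, not code from the article or from the commenter; the log format and sample lines are constructed, and the window and threshold values are assumptions:

```python
import re
from collections import defaultdict, deque

# Constructed resolver log (not a real capture). Assumed line format:
# "<epoch-seconds> <client-ip> <queried-name> <rcode>"
SAMPLE_LOG = """\
1405030000 10.0.0.5 qwpzmxkvbtlrhdsa.example NXDOMAIN
1405030001 10.0.0.7 www.example NOERROR
1405030005 10.0.0.5 hgtrfdeswaqzxcvb.example NXDOMAIN
1405030010 10.0.0.5 plokmijnuhbygvtf.example NXDOMAIN
1405030012 10.0.0.7 mail.example NOERROR
1405030015 10.0.0.5 zaqxswcdevfrbgtn.example NXDOMAIN
1405030018 10.0.0.7 wwww.example NXDOMAIN
1405030020 10.0.0.5 mkolpinjubhyvgtc.example NXDOMAIN
1405030022 10.0.0.7 www.example NOERROR
1405030025 10.0.0.5 rfvtgbyhnujmikol.example NXDOMAIN
1405030030 10.0.0.5 xswzaqcdervfbgty.example NXDOMAIN
1405030035 10.0.0.5 vgybhunjimkolpqa.example NXDOMAIN
1405030040 10.0.0.5 edcrfvtgbyhnujmi.example NXDOMAIN
1405030045 10.0.0.5 cbfqlmzhtryxwoep.example NOERROR
1405030100 10.0.0.9 a.example NXDOMAIN
1405030400 10.0.0.9 b.example NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")


def parse_log(text):
    """Yield (timestamp, client, qname, rcode); malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            yield int(ts), client, qname.lower(), rcode


def flag_dga_clients(text, window_s=60, nx_threshold=8):
    """Flag a client that accumulates nx_threshold NXDOMAINs inside a sliding
    window of window_s seconds (assumed values), and record the first name that
    resolves shortly afterwards as the rendezvous candidate to investigate."""
    recent_nx = defaultdict(deque)   # client -> deque of (timestamp, qname)
    flagged = {}
    for ts, client, qname, rcode in parse_log(text):
        dq = recent_nx[client]
        while dq and ts - dq[0][0] > window_s:   # drop failures older than the window
            dq.popleft()
        if rcode == "NXDOMAIN":
            dq.append((ts, qname))
            if len(dq) >= nx_threshold and client not in flagged:
                flagged[client] = {
                    "first_seen": dq[0][0],
                    "failed": [q for _, q in dq],
                    "resolved": None,
                }
        elif (rcode == "NOERROR" and client in flagged
              and flagged[client]["resolved"] is None
              and dq and ts - dq[-1][0] <= window_s):
            flagged[client]["resolved"] = qname
    return flagged


if __name__ == "__main__":
    for client, info in flag_dga_clients(SAMPLE_LOG).items():
        print(client, "burst of", len(info["failed"]), "dead names; live candidate:", info["resolved"])
```

The window matters: client 10.0.0.9 in the sample has two failures five minutes apart and is never flagged, while a typo from 10.0.0.7 is a single miss. The second heuristic in the comment, domain age, needs registration (WHOIS/RDAP) data that a query log does not carry, so it is left out here; the `resolved` name the detector records is the input for that lookup, not proof of a C&C contact.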

If this bot was so successful in earning millions why would anyone think it wouldn’t be tried again? I think we have to assume it’s in the wild for eternity or until technology changes, but not because some people got caught.

I think I have a stupid question, but what bothers me is that it can take time and money to register a domain name.

First of all, please let me thank Gary Warner for the link to the explanation, but that still does not answer my stupid query.

I own two domains (clearplastic.com and allyn.com). When I registered them, it cost me $10.00 per domain and it took about two or three days to get the domain’s name servers properly set up; time taken up by coordination between the registrar and my hosting ISP.

Also, the registrar wanted to know why I wanted to register these domains. I tried to register a third domain (tabor.edu) for my private high school, but the registrar would not let me because it is not a college.

I would *think* that if I tried to register some gibberish for a domain name (something like sdfjkljklsdfjklsdfsdf.edu) I would be challenged.

I too find the quick registration capabilities of these spammers interesting, something I am not familiar with. Your comments on domain name registration are in line with my understanding as well. When I think of Domain name registration I think of the easy method of going to “Go Daddy” or something similar, then with the domains, going to a web hosting IP company and setting up a site. Unfortunately I cannot answer your question. I too would like to know how this is done.

We used to see a lot of fast flux hosting with sites distributing Storm worm as well as the old “Canadian Pharmacy” domains. It eventually made them more vulnerable because it was easy to simply do a DNS query every few seconds and get a list of all the IPs they were using — which were all compromised computers — and produce a report sorted by country and hosting company. It’s easier to get the police in another country interested in paying a visit to registrars that register those malicious domains if you can provide them a list of victims in their own country.

“This discovery indicates that the criminals responsible for Gameover’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers and takedowns in history”

Wow, I’m shocked. They only made 100 million dollars. I’m sure they are just about to give up.

ZeuS isn’t just affecting banks. My husband and I are victims and it cost my husband his job in March this year. He worked from home for Apple as a tier 2 tech rep. He was let go due to the fact that he no longer had an adequate and efficient workspace after the malware ruined three work Macs in a span of a week. We couldn’t stop the infection in time. We have a 2 year old with a heart defect and a 6 year old and I am an elementary teacher. Yeah, I’d say we suffered pretty hard from ol’ ZeuS.